Hiteless ISSU

Rolling AP
Update/Upgrade
Infrastructure
Rolling AP Upgrade: Neighbor AP marking
How does it work?
• Group APs into multiple groups and upgrade one group at a time.
• Grouping is done based on RF neighbors
• Admin user can control the impact and determines the number of
iterations taken and the Rolling Upgrade time
• Candidate AP selection
• With N = 4: If the AP in blue is selected and 4 of its best neighbours marked
unavailable for selection. The resultant selection will be about P = 50% of APs
• For P = 25%, N = 6, expected iterations all ap upgrade ~ 5 > ~1h
• For P = 15%, N = 12, expected iterations all ap upgrade ~ 12 > ~2h
• For P = 5%, N= 24, expected iterations all ap upgrade ~ 22 > ~4h
• APs reload and re-join (AP image pre-download is used) determines the
Rolling AP Upgrade time
#CiscoLive BRKEWN-2846 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
Rolling AP Upgrade: Neighbor AP marking
25% 15% 5%
User selects % of APs to upgrade in one go [5, 15, 25]

For 25%, Neighbors marked = 6 [Expected number of iterations ~ 5]
Rolling AP Upgrade: Client steering
Clients steered from candidate APs to non-
candidate APs
802.11v BSS Transition Request è

Dissociation Imminent
Clients that do not honor this will be de- 802.11v

authenticated before AP reload
Starting 17.11 AP stops responding to client

probes and association (in Flex)
N+1 Site Based
Hitless Upgrade
Catalyst 9800 IOS-XE 17.9.1
N+1 Site Based Hitless Upgrade
Primary Secondary
Mobility Tunnel • Use new Site Filters for per-site image
Version A
B Version B upgrades of APs in N+1 scenarios
• Like the previous N+1 Hitless Upgrades, APs

will pre-download the images
• During site upgrades, APs will upgrade to new

image in rolling fashion
• After the primary controller is upgraded, APs

can move back in similar fashion
Site Filter
AP upgrade workflow Site 1

Site 2
Primary Secondary
Add the new IOS XE image to the controller: Version A Mobility Tunnel Version B
1 install add file <Path to Image>
Version B
install add file bootflash:IOS-VersionB.bin
Add the sites that will be upgraded first to the site

2 filter:
ap image site-filter any-image add <Site Tag Name>
ap image site-filter any-image add Site1
Pre-download image to the APs:

3 ap image predownload
Pre-Download:
AP Image Version
B
Site Filter

Site 2
Primary Secondary
Move APs to the new destination WLC: Version A Mobility Tunnel Version B
4 ap image upgrade destination <Destination WLC Name>
<Destination WLC IP> Version B
ap image upgrade destination Secondary-WLC 10.10.110.4
APs will reload with the new image and join the
5 Secondary WLC on a rolling basis
As the APs successfully join the Secondary WLC, the

6 Secondary will update the Primary WLC.
Pre-Download:
AP Image Version
B
Site Filter

Site 2
Site 3
Primary Secondary
Version A Mobility Tunnel Version B
Add further sites to the site filter:
7 ap image site-filter any-image add <Site Tag Name>
Version B
Initiate the AP image pre-download, reload with the

new image, and join to the Secondary WLC in rolling
8
fashion:
ap image site-filter any-image apply

Pre-Download:
AP Image Version
B
Site Filter

Site 2
Site 3
Primary Secondary
Upgrade the rest of the sites by clearing the site filter: Version A Mobility Tunnel Version B
10 ap image site-filter any-image clear
Version B
APs at the remaining sites will pre-download the

11 image, reload with the new image, and join to the
Secondary WLC in rolling fashion.

13 Activate the new IOS XE image on the Primary WLC.
Pre-Download:
AP Image Version
B
Configuration via WebUI
Mobility Tunnel
Mobility Tunnel
Primary Controller
MAC Address and IP

Address of the WMI of the
Secondary
Mobility Tunnel
Secondary Controller
MAC Address and IP

Address of the WMI of the
Primary
Mobility Tunnel
N+1 Site Based Hitless Upgrade with WebUI
1 Check the box for Enable Hitless Upgrade
2 Set the Site Filter to Custom
1 Check the box for Enable Hitless Upgrade
2 Set the Site Filter to Custom
3 Select the required Site Tags
Set the Secondary Controller’s IP Address

4 and Hostname
5 Set the required AP Upgrade per Iteration
6 Check the box to enable Client Steering
Choose the required Accounting

7 Percentage and Accounting Action
8 Set the Iteration Expiry
9 Click Download & Install
Monitor the progress of the entire upgrade
10 in the Status Window
Click AP Upgrade Statistics to track each

11 iteration of AP upgrade

Wait for the current iteration of APs to finish

12 moving to the secondary controller


Once done, add the next Site Tag(s) to the

13 Site Filter and click Update Site Filter



14 Repeat Steps 12 and 13 as needed



14 Repeat Steps 12 and 13 as needed
15 All APs are upgraded when the Total is 0
Apply the upgrade by clicking

16 Save Configuration & Activate
Apply the upgrade by clicking

16 Save Configuration & Activate
After the controller reloads, commit the

17 upgrade by clicking Commit
If required, use the CLI to move the APs

18 back to the primary on a site-by-site basis
N+1 Hitless Upgrade with Cisco DNA Center
Create Mobility Group
1 Select the Primary Controller
2 Go to Provision è Configure WLC Mobility
Create Mobility Group
3 Add a new Mobility Group Name
4 Click Add to add a new Mobility Peer
In the Device Details, select the Secondary

5 WLC and click Save.
6 Click Configure Mobility
Enable Rolling AP Upgrade
Select the Primary WLC and go to

1 Provision è Provision Device
Enable Rolling AP Upgrade
Select the Primary WLC and go to

1 Provision è Provision Device
Check the box for Enable choose the AP

2 Reboot Percentage
3 Continue the device provisioning as normal
Upgrading the Primary Controller
Go through the image upgrade procedure
1 as normal
Can I use HA SSO Pair with N+1 Rolling

Upgrade?
Primary Secondary
Customers can stay in Secondary HA pair and
reduce the upgrade process by half Mobility Tunnel
Version A Version B
Add another layer of resiliency if the N+1 chassis

fails
Flexibility to upgrade each site while ensuring

resiliency
3 4 5 1 2
In-Service
Software
Upgrade (ISSU)
Why ISSU? What is ISSU ?
Eliminate network downtime during

controller upgrade process
Complete image upgrade
from one image to another
while traffic forwarding
continues
Eliminate the need for a dedicated N+1
controller in the upgrade process All AP/Client sessions
are retained during
upgrade process
Automate the process of upgrade

Pre-requisites:
without manual intervention ü Base image is ISSU capable
ü SSO pair in Active-Hot Standby
ü Controllers in INSTALL mode
Supported platforms for ISSU
Controllers
Catalyst 9800-L Catalyst 9800-40 Catalyst 9800-80
Catalyst 9800-CL
Private Cloud
1815W 1815I, 1815M 1832 1842 1852 2802 3802

Access Points
1700, 2700, 3700,
1570 Wave 1 APs
Wi-Fi 6 and 6E APs 4800

1540
1560
Wave 2 indoor and outdoor APs
Ensure APs are supported by target software version.
ISSU process Enables ISSU
APs running V1
Pre-download V2
Enables ISSU
Active Standby Active running V2 in SSO
with Standby running V1
V1 V2
SN
MeU
w
Image
APs running V1 on
Active controller
Install New Image on Standby Active Standby
running V2
V1 V2
New
Image
Switchover Standby Active

V2 V2
Rolling AP upgrade
New New
(Reset AP in staggered way)
Image Image
Install New Image on New Standby
Easy ISSU upgrade with WebUI!
1. Select the image you
want to upgrade to
2. Enable ISSU and
select % for Rolling AP
1
upgrade
2
3. Click Download and
Install
• Monitor the progress of ISSU
upgrade via the Status
section in GUI
• Any important messages will
trigger a popup window
Any time you can click on the Show

Logs to see what’s going on…
• During AP image upgrade, click on the

dedicated link to get detailed information
• Note: APs without clients are upgraded first
C9120-SJ-1 still not upgraded
sh ap upgrade
• Client steering happens on the AP with clients
• Once all clients are moved the AP is upgraded
Client steering in progress…
C9120-SJ-1 upgrade started…
client 2
client 1
client 3
• < 30 pings lost over 3k transmitted

• 0% ping loss in the whole process!!
Upgrading HA SSO Pair using ISSU and Cisco
DNA Center
Upload the ISSU Compatibility Matrix, if
1 not uploaded already
2 Re-Execute the Readiness Check
Upgrading HA SSO Pair using ISSU and Cisco
DNA Center
Go through the image upgrade
3 Enable ISSU Update for the Controller 4 procedure as normal
ISSU official support Matrix
17.3 17.4 17.5 17.6 17.7 17.8 17.9 17.10
Supported Not Supported

• Within EM release beyond +2 release
• N +2 - Within EM release (17.9.1 <> 17.9.3) • Across EM release beyond +2 release
• N +2 - Across EM release (17.3.X <> 17.9.X) • Across software release trains (e.g., 17.12 to 18.1)
• Within SM release (17.1.1 <> 17.1.2)
• Across SM release
• EM <> SM release
EM = Extended Maintenance release • Downgrade from any release to any release
SM = Standard Maintenance release • No support on Engineering Special (ES) releases
How can I improve AP image download time?

Before IOS XE 17.11.1 After IOS XE 17.11.1
nginx server
• AP image download
happens over CAPWAP • AP image download
CAPWAP Control Path HTTPs CAPWAP happens over HTTPs
Image • Slow by limitation with Image • Fast download speed

Control Path Control Path
download CAPWAP window size download
• Image downloads WNCd • Reduce CPU load and

process increases CPU frees up CAPWAP
work-load
Fallback to CAPWAP if HTTPs Failure
If any failure happens in image download

over http, it will fall back to CAPWAP
method to keep the upgrade functionality.
Supported Platforms
• All Physical and Virtual Appliances
• C9800-80, C9800-40, C9800-L, C9800-CL Private and Public Cloud
• Not Supported on:
• Embedded Wireless Controller on AP
CLI Configuration
• Enable AP image download through HTTPs

C9800# conf t
C9800(config)# ap upgrade method https
• Customize the HTTPs port number (default is 8443)
C9800(config)# ap file-transfer https port <port_number>
CLI Verifications
• Verify AP image download method enabled/disabled
C9800# show ap upgrade method
AP upgrade method HTTPS : Disabled
• Show command to verify AP file transfer port
C9800# show ap file-transfer https summary
Configured port : 8443

Operational port : 8443
CLI Verifications
• Verification of ap image download over https support
C9800# show ap name AP2800 config general | sec Upgrade
AP Upgrade Out-Of-Band Capability : Enabled
• Verification of ap image download history
C9800# show wireless stats ap image-download
AP image download info for last attempt

AP Name Count ImageSize StartTime EndTime Diff(secs) Predownload Aborted Method
AP_3800_1 1 60856320 11/14/22 12:31:21 11/14/22 12:32:21 59 No No HTTPS

AP2800 1 60856320 11/14/22 12:27:43 11/14/22 12:28:39 56 No No HTTPS
6. Software
Patching
Capability
^SMU on MD
Release only
Controller and AP software upgrades
Controller PSIRTs, Fixes New AP Model

Updates on APs Support
Controller update or bug fixes AP updates or bug fixes Hot-patchable support for Device Pack
SMU^ AP Service Pack AP Device Pack
Contain impact within release Faster resolution to critical issues

Fixes for defects and security issues Provide fixes to critical issues found in
without need to requalify a new release network devices that are time-sensitive
Wireless
Controller SMU
(Software
Maintenance
Update)
Wireless Controller SMU
Hot Patch Cold Patch
Wireless Controller SMU installation (No Wireless Controller reboot) Wireless Controller Reboot
Options Auto Install on Standby
§ Software Maintenance Update (SMU) is the Hot-Patching Cold Patching

ability to apply patch fixes on a software
release in the customer network Inline replace of functions Install of a SMU will require a
without restarting the process system reload
On SSO Systems, patch will be
§ Current mechanism relies on Engineering applied on both active and
Specials On SSO systems, SMU updates
standby without any reload
can be installed on the HA Pair
• Entire image is rebuilt and delivered to with zero downtime
customer
Wireless Controller SMU
Standalone vs Redundant Wireless Controller
§ Software Maintenance Update (SMU) is the ability to apply patch fixes on a software
release in the customer network
§ Current mechanism relies on Engineering Special: Entire image is rebuilt and delivered to
customer
Hot Patch Cold Patch

(No Wireless Controller reboot) Wireless Controller Reboot
Auto Install on Standby
No reload of Controller. AP & Reload controller. AP & Client

Standalone box Client session won’t be sessions would be affected.
affected.
SMU activation applies patch on Follows ISSU path and both

Redundant box Active & Standby. There is no Standby & Active controller
controller reload and there is no reloaded but there is no impact to
impact to AP and Client sessions. AP and Client session.
SMU Install via WebUI
SMU ISSU Install via CLI
C9800# install add file flash:C9800-L-universalk9_wlc.17.03.05a.CSCwb45089.SPA.smu.bin
install_add: START Tue Jan 10 15:01:47 PST 2023
install_add: Adding SMU
install_add: Checking whether new add is allowed ....
C9800# install activate file flash:C9800-L-universalk9_wlc.17.03.05a.CSCwb45089.SPA.smu.bin issu

install_activate: START Tue Jan 10 15:03:37 PST 2023
install_activate: Activating ISSU
C9800# install commit

install_commit: START Tue Jan 10 15:24:23 PST 2023
install_commit: Committing SMU
Per-site & Per-
AP Model
AP Service Pack
Per-site / Per-model
AP Service Pack Per-AP model Service Pack
APSP can have a subset of APs that are
affected by the update
AP Service Packs
Supported on all
platforms and all Update on Subset APs
deployment scenarios
Fix applied on a subset of APs in the
(Flex, Local and Fabric)
deployment using a site-filter
Per-model APSP
works in conjunction
with site-specific
rollout
Controlled Propagation
Enables user to control the propagation
Pre-downloaded to and of APSP in the network
activated on the affected AP
models only
APSP workflow
Applying APSP for 9115/9120 APs on per-site and per-model basis
ap image site-filter file APSP1 add SiteA ap image site-filter file APSP1 add Site B
Install prepare activate ap image file APSP1 site-filter apply
Install activate
Install commit
Not applicable for building with 9130AX
Apply on Site A in rolling AP fashion
9120AX APs 9115AX APs 9130AX APs 9120AX APs 9115AX APs
SiteA SiteB SiteC
AP Device Pack
(APDP)
AP Device Pack Contain Impact within release
Traditionally ... Deploy new hardware without need to
requalify a new controller release
With AP Device Packs

New AP hardware Reduce Lifecycle delays
models need new Faster deployment of latest AP hardware
WLC software and technology
Zero Network Downtime

Wait for CCO Plan for Applied as HOT patch on the controller
version and re- Upgrading with no service impact for APs and Client s
qualify new release entire network
APDP installation workflow
CLI WLC New AP
Install add
Install activate
Install commit
New AP Joins WLC
APDP installation workflow
Install add file new-dp.bin
Install activate file new-dp.bin
Install commit
9130AX APs 9115AX APs 9124AX APs
Note: Fixes for the AP installed via APDP will be via AP Service packs like a baseline supported AP.
Installing SMU, APDP, APSP with Cisco DNA
Center
Import/Download SMU/APDP/APSP into
1 inventory
Center
1 inventory
Click Add On for the required software

2 version
Center
1 inventory
Click Add On for the required software

2 version
Mark it as Golden, additionally to Golden

3 Image
Go through the image upgrade

4 procedure
Thank you
#CiscoLive

Hiteless ISSU

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hiteless ISSU

Uploaded by

Copyright:

Available Formats

Rolling AP

User selects % of APs to upgrade in one go [5, 15, 25]

802.11v BSS Transition Request è

Clients that do not honor this will be de- 802.11v

Starting 17.11 AP stops responding to client

N+1 Site Based Hitless Upgrade

• Like the previous N+1 Hitless Upgrades, APs

• During site upgrades, APs will upgrade to new

• After the primary controller is upgraded, APs

AP upgrade workflow Site 1

Add the sites that will be upgraded first to the site

Pre-download image to the APs:

AP upgrade workflow Site 1

As the APs successfully join the Secondary WLC, the

AP upgrade workflow Site 1

Initiate the AP image pre-download, reload with the

As the APs successfully join the Secondary WLC, the

AP upgrade workflow Site 1

APs at the remaining sites will pre-download the

As the APs successfully join the Secondary WLC, the

13 Activate the new IOS XE image on the Primary WLC.

MAC Address and IP

MAC Address and IP

1 Check the box for Enable Hitless Upgrade

2 Set the Site Filter to Custom

1 Check the box for Enable Hitless Upgrade

2 Set the Site Filter to Custom

3 Select the required Site Tags

Set the Secondary Controller’s IP Address

6 Check the box to enable Client Steering

Choose the required Accounting

8 Set the Iteration Expiry

9 Click Download & Install

Click AP Upgrade Statistics to track each

Click AP Upgrade Statistics to track each

Wait for the current iteration of APs to finish

Click AP Upgrade Statistics to track each

Wait for the current iteration of APs to finish

Once done, add the next Site Tag(s) to the

Click AP Upgrade Statistics to track each

Wait for the current iteration of APs to finish

Once done, add the next Site Tag(s) to the

14 Repeat Steps 12 and 13 as needed

Click AP Upgrade Statistics to track each

Wait for the current iteration of APs to finish

Once done, add the next Site Tag(s) to the

14 Repeat Steps 12 and 13 as needed

15 All APs are upgraded when the Total is 0

15 All APs are upgraded when the Total is 0

Apply the upgrade by clicking

15 All APs are upgraded when the Total is 0

Apply the upgrade by clicking

After the controller reloads, commit the

If required, use the CLI to move the APs

1 Select the Primary Controller

2 Go to Provision è Configure WLC Mobility

3 Add a new Mobility Group Name

4 Click Add to add a new Mobility Peer

In the Device Details, select the Secondary

6 Click Configure Mobility

Select the Primary WLC and go to

Select the Primary WLC and go to

Check the box for Enable choose the AP

3 Continue the device provisioning as normal